Line break in grok pattern

mariana17 · January 31, 2023, 8:40pm

I am trying to get the data from a log, however in the middle of the log there is a line break which prevents the Grok filter from reading it correctly. If I adjust it to a single line it works, however, it would require the line break to be found

How could you tell Grok that there will be a jump and take the following data?

This the log

{C-FLOW-ID-CAB APN101MQ C-OPERATION-CAB P T-EVENTO-CAB RUNNING T-EXTERNAL-ID-CAB null F-MESSAGE-CAB 20221018 H-MESSAGE-CAB 601006 C-MESSAGE-ID-CAB DC45D4AA6B3D0000 M-STATUS-CAB 02 
[<FOTO><Status>RUNNING</Status><EVENTO>2022101806:01:00.0</EVENTO></FOTO>]}

This is my grok filter

grok {
        match => { 'message' => '(?:[^:]+) %{WORD:C-FLOW-ID-CAB} (?:[^:]+) %{WORD:C-OPERATION-CAB} (?:[^:]+) %{WORD:T-EVENTO-CAB} (?:[^:]+) %{WORD:T-EXTERNAL-ID-CAB} (?:[^:]+) %{WORD:F-MESSAGE-CAB} (?:[^:]+) %{WORD:H-MESSAGE-CAB} (?:[^:]+) %{WORD:C-MESSAGE-ID-CAB} (?:[^:]+) %{WORD:M-STATUS-CAB} \[%{GREEDYDATA:DETAIL}\]'}
    }

Rios · January 31, 2023, 8:52pm

Can you show how the message looks like? A single line or two lines? Filebear or file should use multiline pattern or if is a single line remove \n from the message with gsub or add \n or .{1,3} in front [<FOTO><Status>...

.{1,3}\[%{GREEDYDATA:DETAIL}\]
\\n\[%{GREEDYDATA:DETAIL}\]

system · February 28, 2023, 8:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter cannot parse log lines that are AFTER a multiline event Logstash	8	1960	July 6, 2017
Multiline grok filter not working with specific log Logstash	3	250	April 4, 2022
Can't grok multiline logs Logstash	2	719	December 4, 2017
How do I match a newline in grok/logstash Logstash	13	16450	July 6, 2017
Multiline filter fails on one record when handling a large file Logstash	12	3280	July 6, 2017

Line break in grok pattern

Related Topics